[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <44c96038dc3b3e78d2bb763ad5ea1e989694a68e.1594377971.git.dcaratti@redhat.com>
Date: Fri, 10 Jul 2020 12:55:08 +0200
From: Davide Caratti <dcaratti@...hat.com>
To: Michael Chan <michael.chan@...adcom.com>,
"David S. Miller" <davem@...emloft.net>, netdev@...r.kernel.org
Cc: jtoppins@...hat.com, feliu@...hat.com
Subject: [PATCH net] bnxt_en: fix NULL dereference in case SR-IOV configuration fails
we need to set 'active_vfs' back to 0, if something goes wrong during the
allocation of SR-IOV resources: otherwise, further VF configurations will
wrongly assume that bp->pf.vf[x] are valid memory locations, and commands
like the ones in the following sequence:
# echo 2 >/sys/bus/pci/devices/${ADDR}/sriov_numvfs
# ip link set dev ens1f0np0 up
# ip link set dev ens1f0np0 vf 0 trust on
will cause a kernel crash similar to this:
bnxt_en 0000:3b:00.0: not enough MMIO resources for SR-IOV
BUG: kernel NULL pointer dereference, address: 0000000000000014
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] SMP PTI
CPU: 43 PID: 2059 Comm: ip Tainted: G I 5.8.0-rc2.upstream+ #871
Hardware name: Dell Inc. PowerEdge R740/08D89F, BIOS 2.2.11 06/13/2019
RIP: 0010:bnxt_set_vf_trust+0x5b/0x110 [bnxt_en]
Code: 44 24 58 31 c0 e8 f5 fb ff ff 85 c0 0f 85 b6 00 00 00 48 8d 1c 5b 41 89 c6 b9 0b 00 00 00 48 c1 e3 04 49 03 9c 24 f0 0e 00 00 <8b> 43 14 89 c2 83 c8 10 83 e2 ef 45 84 ed 49 89 e5 0f 44 c2 4c 89
RSP: 0018:ffffac6246a1f570 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000000b
RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff98b28f538900
RBP: ffff98b28f538900 R08: 0000000000000000 R09: 0000000000000008
R10: ffffffffb9515be0 R11: ffffac6246a1f678 R12: ffff98b28f538000
R13: 0000000000000001 R14: 0000000000000000 R15: ffffffffc05451e0
FS: 00007fde0f688800(0000) GS:ffff98baffd40000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000014 CR3: 000000104bb0a003 CR4: 00000000007606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
do_setlink+0x994/0xfe0
__rtnl_newlink+0x544/0x8d0
rtnl_newlink+0x47/0x70
rtnetlink_rcv_msg+0x29f/0x350
netlink_rcv_skb+0x4a/0x110
netlink_unicast+0x21d/0x300
netlink_sendmsg+0x329/0x450
sock_sendmsg+0x5b/0x60
____sys_sendmsg+0x204/0x280
___sys_sendmsg+0x88/0xd0
__sys_sendmsg+0x5e/0xa0
do_syscall_64+0x47/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Fixes: c0c050c58d840 ("bnxt_en: New Broadcom ethernet driver.")
Reported-by: Fei Liu <feliu@...hat.com>
CC: Jonathan Toppins <jtoppins@...hat.com>
CC: Michael Chan <michael.chan@...adcom.com>
Signed-off-by: Davide Caratti <dcaratti@...hat.com>
---
drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c
index 3a9a51f7063a..392e32c7122a 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c
@@ -396,6 +396,7 @@ static void bnxt_free_vf_resources(struct bnxt *bp)
}
}
+ bp->pf.active_vfs = 0;
kfree(bp->pf.vf);
bp->pf.vf = NULL;
}
@@ -835,7 +836,6 @@ void bnxt_sriov_disable(struct bnxt *bp)
bnxt_free_vf_resources(bp);
- bp->pf.active_vfs = 0;
/* Reclaim all resources for the PF. */
rtnl_lock();
bnxt_restore_pf_fw_resources(bp);
--
2.26.2
Powered by blists - more mailing lists